The Hindu Business Line : `Zero-day' exploits Windows cursor vulnerability

Coimbatore April 2 A zero-day exploit that takes advantage of a vulnerability in the Windows cursor appears to be spreading rapidly. The attack, spotted on Friday last, appears to have intensified over the weekend, with a majority of exploits traced to different Chinese hacker groups.

Websense Securty Labs has spotted over 100 Web sites spreading the ANI (Windows Animated Cursor Handling) `zero-day' exploit. The Lab has made the Proof-of-Concept (POC) available and is expecting additional attacks to surface. Meanwhile, it has advised customers to block all uncategorized Web sites with the .exe. filter extension.

According to a Websense release, a majority of the attacks appeared to be downloading and installing generic password stealing code.

Sources said that the antivirus software was initially useless in combating the attack, resulting in dozens of Web sites getting exploited since Friday last.

Weekend activity

Senior Security Specialist at F-Secure, Mr Patrik Runalt, said his company saw a lot of activity relating to the ANI exploit during the weekend. "This vulnerability is really tempting for the bad guys. It is easy to modify the exploit, and it can be launched via Web or email fairly easily. We hope to see Microsoft release a patch for this exploit soon,'' he told Business Line.

Microsoft , according to reports last received, was yet to issue the patch. Mr Runalt said most of the activity around the ANI exploit was via dozens of malicious Web sites that attacked users when they visited the page with the most common versions of Internet Explorer. "On Sunday the first worm using this exploit to spread was found," he added.

China entry

A Websense survey has noted that most of the sites were hosted in China, and the most popular domain space being used was .com.